Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

SALARY SURVEY RESULTS POSTED

*****This Issue Brought To You By LURHQ Managed Security Solutions*****
Sobig variants have been plaguing organizations since the beginning of
the year. Each new version brings an ever-increasing flood of spam,
placing enormous strains on corporate networks.
Learn how Sobig operates and how you can protect your organization by
reading this analysis of the Sobig family:
http://www.lurhq.com/sans-ih.html
*********************************************************************

TOP OF THE NEWS

Karen Evans Nominated for The Top US Government IT Position (3 September 2003)

President Bush says he will nominate Karen Evans to replace Mark Forman as federal government technology chief in the Office of Management and Budget (OMB). Evans is currently the Department of Energy's chief information officer (CIO).
-http://www.govexec.com/dailyfed/0903/090303a1.htm
[Editor's Note (Paller): Karen Evans' selection as the top IT person in government will prove to be a defining moment in the fight against cybercrime. For years experts have called on the federal government to become a model of cyber security leadership. No one in the country is better suited to make that happen. ]

ISPs Could Block Ports to Reduce Spread of Malware (8 September 2003)

A report written by Johannes Ullrich, CTO of the SANS Internet Storm Center, proposes that Internet service providers (ISPs) block access to "commonly exploited" communications ports on customers' computers. It would not prevent all Internet threats, but it could address the bulk of the problems. The four ports, 135, 137, 139 and 445, are not needed for most Internet use. The proposal is aimed at ISPs that serve individual customers and universities, not those that serve corporate customers.
-http://www.nwfusion.com/edge/news/2003/0908studyisps.html
-http://www.sans.org/rr/special/isp_blocking.pdf
[Editor's Note (Ranum): It's good that we are finally reinventing "default deny"! Historically, though, this has been countered by unsupported claims of reduced performance due to router filtering rules. ]
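To make the proposal concrete, here is an added example (written for this page; not the report's code or any ISP's configuration) of the four-port block expressed as a policy and evaluated against constructed flow records in Python. The customer and exempt netblocks, the decision to filter UDP as well as TCP, and the choice to drop in both directions (so that an infected customer cannot scan outward either) are assumptions of the example, not statements from the report.

```python
import ipaddress
from dataclasses import dataclass

# The four ports named in the proposal: MS-RPC endpoint mapper (135),
# NetBIOS name and session services (137, 139) and SMB over TCP (445).
BLOCKED_PORTS = frozenset({135, 137, 139, 445})


@dataclass(frozen=True)
class Flow:
    src: str      # source address
    dst: str      # destination address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


class IspPortFilter:
    """Drops the blocked ports to and from customer netblocks and leaves exempt
    (corporate) netblocks alone, which is the scope the proposal describes."""

    def __init__(self, customer_nets, exempt_nets=(), ports=BLOCKED_PORTS):
        self.customer = [ipaddress.ip_network(n) for n in customer_nets]
        self.exempt = [ipaddress.ip_network(n) for n in exempt_nets]
        self.ports = frozenset(ports)

    def is_filtered_customer(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip in n for n in self.customer) and not any(ip in n for n in self.exempt)

    def decide(self, flow: Flow) -> str:
        # Assumption: the block applies to TCP and UDP alike and in both
        # directions, so an infected customer cannot scan outward either.
        if flow.proto not in ("tcp", "udp") or flow.dport not in self.ports:
            return "accept"
        if self.is_filtered_customer(flow.src) or self.is_filtered_customer(flow.dst):
            return "drop"
        return "accept"

    def summarize(self, flows) -> dict:
        """Count accept/drop decisions, e.g. to estimate the impact on a day's flow log."""
        counts = {"accept": 0, "drop": 0}
        for f in flows:
            counts[self.decide(f)] += 1
        return counts


# Constructed flows for the demonstration (RFC 5737 documentation addresses).
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "203.0.113.5", "tcp", 445),    # inbound SMB probe at a home user: drop
    Flow("203.0.113.5", "198.51.100.7", "udp", 137),    # outbound NetBIOS from a home user: drop
    Flow("198.51.100.7", "203.0.113.200", "tcp", 445),  # same probe at the exempt corporate block: accept
    Flow("203.0.113.5", "198.51.100.7", "tcp", 80),     # ordinary web traffic: accept
    Flow("198.51.100.7", "192.0.2.9", "tcp", 135),      # transit traffic with no customer involved: accept
]

# Assumed ISP layout: one residential /24 with a corporate /25 carved out of it.
HOME_ISP = IspPortFilter(customer_nets=["203.0.113.0/24"], exempt_nets=["203.0.113.128/25"])

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f, HOME_ISP.decide(f))
    print(HOME_ISP.summarize(SAMPLE_FLOWS))
```

Running the same policy over a real flow export before enabling it on the router is the check a practitioner would want: the summary shows how much traffic the filter would actually touch, which is also the answer to the performance objection.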

Colleges Cracking Down on Infected Student Computers (4 September 2003)

Colleges and universities across the United States are taking extra precautions against computer worms and viruses and passing some of that responsibility and liability off to the students. Oberlin College (Ohio) students will be fined $25 if they inadvertently spread a virus. At some institutions, students have to prove they've had their computers "cleaned" of viruses before they're allowed to connect to the school's network. Virginia's George Mason University cut Internet access for all 3,600 students; too few students confirmed that the computers they brought to school had all necessary security upgrades. Some schools require that all students have their computer checked for viruses.
-http://www.washingtonpost.com/ac2/wp-dyn/A25845-2003Sep4?language=printer
-http://www.msnbc.com/news/961943.asp?0dm=C14MT
[Editor's Note (Schultz): I'm glad to see that universities are starting to adopt measures such as these. Having users take responsibility for their own computers is a big part of a successful security strategy. (Schneier): I suspect part of the problem is the multiplicity of operating systems and setups. But providing or requiring purchase of a uniform version of one brand of antivirus software would seem to be a major step in the right direction. ]

NRC Issues Security Warning to Plant Operators (3 September 2003)

In a nod to the need to address computer security in the nuclear power industry, the US Nuclear Regulatory Commission (NRC) has issued an Information Notice to plant operators; the notice describes the problems the Davis-Besse nuclear power plant faced when the Slammer worm infected the plant's computer network. The notice does not provide any recommendations.
-http://www.securityfocus.com/printable/news/6868

************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
1) Stop Network Attacks versus just Detecting. Intrusion Prevention
Essentials White Paper
http://www.sans.org/cgi-bin/sanspromo/NB223
2) EVERY NETWORK ATTACK BEGINS WITH AN ATTACKER. Neutralize the
source. FREE Demo.
http://www.sans.org/cgi-bin/sanspromo/NB224
3) WHITE PAPER - 10 leading enterprise techniques to control spam ***
request paper
http://www.sans.org/cgi-bin/sanspromo/NB225
***********************************************************************

Two Computers Stolen From Sydney Airport in Broad Daylight (5 September 2003)

Two men posing as technicians got past security at the cargo processing and intelligence center at Sydney International Airport, gained access to the top-security mainframe room, and made off with two computers, wheeling them out of the room on a cart. The Australian Customs Service said "no sensitive operational data [were] lost." The theft occurred on August 27th; Customs neglected to mention the incident at a recent parliamentary inquiry.
-http://www.smh.com.au/articles/2003/09/04/1062548967124.html
-http://www.theregister.co.uk/content/55/32677.html
[Editor's Note (Schneier): A useful reminder that computer-related theft doesn't have to be high-tech. ]

FBI counterterrorism chief Larry A. Mefford said his agency's cyber division "has found no indication to date that the blackout was the result of a malicious computer-related intrusion or any sort of computer worm or virus attack." However, the group is examining utility control computer logs to investigate the possibility of insider involvement.
-http://www.computerworld.com/printthis/2003/0,4814,84640,00.html
[Editor's Note (Schneier): This looks more like an attempt to spread FUD than anything. If people hear "there's no clear evidence that the blackout was related to cyberterrorism" often enough, they are then going to assume that it was in fact related, and the proof is being kept secret? (Grefer): Historically, the focus of utility control computer logs has been on tracking operational data. There has been very little emphasis on information security aspects in this particular industry. Consequently, it would be difficult to find such indications, and the focus of the investigation would as a result shift to readily available data. ]

Not only have MSBlast, its variants and the Sobig.F worm caused companies to spend more of their budgets on IT security, but the worms have also made organizations rethink traditional security methods and add layers to their security models. Heuristic antivirus detection, which is behavior based rather than signature based, did a good job of detecting Sobig.F because the worm acted much like spam. Support for this shift in anti-virus thinking comes from research at Hewlett-Packard's Bristol (UK) laboratories, which indicates that current anti-virus methods are not effective because large numbers of infections can occur before new anti-virus signatures become available. Hewlett-Packard researcher Matthew Williamson's work showed that even if a virus signature is available from the moment a virus is released, viruses can now spread rapidly enough that the availability of the signature will not stem the tide of infection.
-http://www.newscientist.com/news/news.jsp?id=ns99994119
-http://www.vnunet.com/News/1143377
[Editor's Note (Grefer): Heuristic antivirus detection has been commercially available since the 80s. While heuristic methods can be very helpful in detecting unusual patterns, commonly they also lead to a substantial number of false positives. ]
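As an added illustration of the behavior-based approach the item describes (written for this page; it is not HP's, Williamson's or any vendor's detector), the Python below flags hosts that open SMTP sessions to many distinct peers within a short window, which is the pattern a mass mailer such as Sobig.F produces on the wire. The record format, the window and threshold, and the sample records are constructed assumptions. The relay whitelist shows the false-positive problem Grefer raises and one blunt answer to it: a legitimate outbound mail relay flushing its queue looks exactly like an infected desktop until you tell the detector which hosts are supposed to behave that way.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed record format: "<iso timestamp> src=<ip> dst=<ip> proto=<tcp|udp> dport=<n>"
RECORD = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse_record(line: str):
    m = RECORD.match(line.strip())
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    g = m.groupdict()
    return datetime.fromisoformat(g["ts"]), g["src"], g["dst"], g["proto"], int(g["dport"])


def mass_mailers(lines, window_s=60, max_peers=20, relays=frozenset()):
    """Return {src: peak number of distinct SMTP peers seen in any window_s
    window} for every source that exceeds max_peers. A desktop normally talks
    to one or two mail servers; a mass mailer opens sessions to many unrelated
    hosts. Records must be in time order. Hosts in `relays` are skipped."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, dst) inside the window
    peak = {}
    for line in lines:
        ts, src, dst, proto, dport = parse_record(line)
        if proto != "tcp" or dport != 25 or src in relays:
            continue                       # only outbound SMTP matters here
        q = recent[src]
        q.append((ts, dst))
        while q and (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()                    # slide the window forward
        peers = len({d for _, d in q})
        if peers > max_peers:
            peak[src] = max(peak.get(src, 0), peers)
    return peak


def constructed_sample():
    """Constructed connection records for the demo; not a real capture."""
    t0 = datetime(2003, 9, 5, 10, 0, 0)

    def rec(sec, src, dst, dport):
        ts = (t0 + timedelta(seconds=sec)).isoformat()
        return f"{ts} src={src} dst={dst} proto=tcp dport={dport}"

    rows = []
    rows += [rec(i, "10.0.0.5", f"192.0.2.{i + 1}", 25) for i in range(30)]      # infected desktop
    rows += [rec(10 * i, "10.0.0.9", "10.0.0.2", 25) for i in range(5)]           # normal desktop -> site relay
    rows += [rec(i, "10.0.0.2", f"198.51.100.{i + 1}", 25) for i in range(25)]   # legitimate relay flushing its queue
    rows += [rec(3, "10.0.0.9", "203.0.113.7", 80)]                               # web traffic, ignored
    return sorted(rows)                    # ISO timestamps sort chronologically


if __name__ == "__main__":
    sample = constructed_sample()
    print("no whitelist:  ", mass_mailers(sample))                  # relay shows up as a false positive
    print("relay excused: ", mass_mailers(sample, relays={"10.0.0.2"}))
```

The detector needs no signature, which is the point of the item: the infected host is flagged within seconds of starting to spread, long before any vendor update could arrive. The price is the tuning burden; every host that legitimately fans out SMTP has to be enumerated, and the threshold has to be set from a baseline of the site's own traffic.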

Man Pleads Guilty to Password Trafficking (3 September 2003)

A former American Eagle Outfitters employee has pleaded guilty to password trafficking and computer damage aimed at hurting the company's business. Kenneth Patterson of Greensburg, PA, allegedly posted American Eagle Outfitters password information on the Internet, along with information about how to break into the company's computer system. Patterson could be sentenced to 11 years in prison, fined $350,000, or both; sentencing is set for December 2.
-http://www.thepittsburghchannel.com/news/2451248/detail.html

Parson Claims He Was Helping Feds (3 September 2003)

Jeffrey Lee Parson, the Minnesota teenager arrested in connection with the MSBlast.B worm, said in an off-camera interview that the government has exaggerated the case against him. He also takes exception to the media's portrayal of him as a depressed loner with no respect for authority. Parson maintains that he believed he was helping the government in their attempt to track down the author of the original and much more virulent form of the worm. In addition, Parson claims he was never read his Miranda rights.
-http://www.theregister.co.uk/content/56/32635.html
-http://www.msnbc.com/news/960926.asp

DOD Will Incorporate Biometrics Into Security Measures by 2010 (2 September 2003)

The Defense Department's (DOD) Biometrics Management Office (BMO) has released a memo outlining the steps it plans to take toward incorporating biometric identification technology into physical and data access security on both classified and unclassified systems by 2010, as part of a multilayered security strategy. The memo, dated August 25 of this year and signed by Deputy Secretary of Defense Paul Wolfowitz, will eventually be incorporated into a directive and implementation instructions.
-http://www.gcn.com/vol1_no1/daily-updates/23379-1.html
-http://www.fcw.com/fcw/articles/2003/0901/web-biom-09-02-03.asp
[Editor's Note (Schneier): Biometrics for authentication is an appropriate use of the technology. ]

Navy Investigating NMCI Infection (29 August 2003)

The Navy has launched an inquiry aimed at finding out how the Welchia worm found its way into the Navy Marine Corps Intranet (NMCI). This is the first infection the NMCI has suffered since users began switching over from legacy systems in 2001. The Naval Network Warfare Command, which is leading the investigation, is focusing largely on the events that led up to the infection; the Navy's response to the worm was effective, and the infection was contained quickly.
-http://www.fcw.com/fcw/articles/2003/0825/web-worm-08-29-03.asp

Does Sobig Have Anything to do with DDoS Attacks on Anti-Spam Sites? (29 August 2003)

A number of major anti-spam websites have fallen prey to distributed denial of service (DDoS) attacks in recent months; some believe there is a correlation between the attacks and the proliferation of the Sobig worm. A Sobig variant discovered in June turns infected machines into open proxies, which are capable of sending out spam. Those infected computers could also be used to launch DDoS attacks like those aimed at the Spam Prevention Early Warning System (spews.org), the Spam Open Relay Blocking System (sorbs.net) and Osirusoft, which has ceased operation.
-http://www.pcworld.com/resource/printable/article/0,aid,112261,00.asp

NIST Draft Special Publication 800-38C: CCM Mode

Draft Special Publication 800-38C, "Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality," is now available for review at
-http://csrc.nist.gov/publications/drafts.html
The draft specifies the CCM mode of operation for the Advanced Encryption Standard (AES) algorithm. CCM combines counter (CTR) mode for confidentiality with the cipher block chaining message authentication code (CBC-MAC) for authentication and data integrity. The specification of CCM is intended to be compatible with the use of CCM within the draft IEEE 802.11i standard. NIST welcomes public comments until October 20, 2003. Send comments to EncryptionModes@nist.gov.
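To show what "CTR plus CBC-MAC" means at the block level, here is an added example (written for this page; not NIST's reference code) that builds CCM from nothing but the raw AES block function: the formatting of the B0 block and the associated data, the CBC-MAC over those blocks, and the CTR keystream whose block 0 masks the tag. It assumes the `cryptography` package is installed, uses its ECB primitive only as the AES block function, and cross-checks the result against the package's own `AESCCM` and against packet vector #1 of RFC 3610, which uses the same construction. The decrypt side verifies the tag in constant time before releasing any plaintext, which is the caveat most home-grown CCM code gets wrong.

```python
import hmac
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.ciphers.aead import AESCCM  # used only as a cross-check


def aes_block(key: bytes, block: bytes) -> bytes:
    """Forward AES permutation of one 16-byte block (ECB over a single block)."""
    enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
    return enc.update(block) + enc.finalize()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _format_blocks(nonce: bytes, aad: bytes, msg: bytes, tag_len: int) -> bytes:
    """B0 || [len(aad) || aad || pad] || msg || pad, per SP 800-38C App. A / RFC 3610 2.2."""
    L = 15 - len(nonce)                       # width of the message-length field, 2..8 bytes
    if not 2 <= L <= 8 or tag_len not in (4, 6, 8, 10, 12, 14, 16) or len(msg) >= 1 << (8 * L):
        raise ValueError("bad CCM parameters")
    # B0 flags: reserved(1) | Adata(1) | M' = (tag_len-2)/2 (3 bits) | L' = L-1 (3 bits)
    flags = (0x40 if aad else 0) | (((tag_len - 2) // 2) << 3) | (L - 1)
    blocks = bytes([flags]) + nonce + len(msg).to_bytes(L, "big")
    if aad:
        if len(aad) >= 0xFF00:                # longer aad needs the 0xFFFE/0xFFFF prefixes; not shown
            raise ValueError("aad too long for this example")
        a = len(aad).to_bytes(2, "big") + aad
        blocks += a + bytes(-len(a) % 16)    # zero-pad to a block boundary
    return blocks + msg + bytes(-len(msg) % 16)


def _cbc_mac(key: bytes, blocks: bytes) -> bytes:
    x = bytes(16)                             # zero IV
    for i in range(0, len(blocks), 16):
        x = aes_block(key, _xor(x, blocks[i:i + 16]))
    return x


def _ctr_block(key: bytes, nonce: bytes, i: int) -> bytes:
    """Counter block A_i = [L'] || nonce || i; S_0 masks the tag, S_1.. encrypt the message."""
    L = 15 - len(nonce)
    return aes_block(key, bytes([L - 1]) + nonce + i.to_bytes(L, "big"))


def ccm_encrypt(key: bytes, nonce: bytes, msg: bytes, aad: bytes = b"", tag_len: int = 8) -> bytes:
    tag = _cbc_mac(key, _format_blocks(nonce, aad, msg, tag_len))[:tag_len]
    out = bytearray()
    for i in range(0, len(msg), 16):
        out += _xor(msg[i:i + 16], _ctr_block(key, nonce, i // 16 + 1))
    return bytes(out) + _xor(tag, _ctr_block(key, nonce, 0)[:tag_len])


def ccm_decrypt(key: bytes, nonce: bytes, ct: bytes, aad: bytes = b"", tag_len: int = 8) -> bytes:
    if len(ct) < tag_len:
        raise ValueError("ciphertext too short")
    body, masked_tag = ct[:-tag_len], ct[-tag_len:]
    msg = bytearray()
    for i in range(0, len(body), 16):
        msg += _xor(body[i:i + 16], _ctr_block(key, nonce, i // 16 + 1))
    msg = bytes(msg)
    expected = _cbc_mac(key, _format_blocks(nonce, aad, msg, tag_len))[:tag_len]
    got = _xor(masked_tag, _ctr_block(key, nonce, 0)[:tag_len])
    if not hmac.compare_digest(expected, got):  # constant-time compare; plaintext is never released on failure
        raise ValueError("CCM authentication failed")
    return msg


def library_ccm(key: bytes, nonce: bytes, msg: bytes, aad: bytes = b"", tag_len: int = 8) -> bytes:
    """The package's own CCM, for comparison with the hand-rolled construction."""
    return AESCCM(key, tag_length=tag_len).encrypt(nonce, msg, aad)


# RFC 3610 packet vector #1: 13-byte nonce (L = 2), 8-byte tag, 8 bytes of aad, 23-byte message.
RFC3610_KEY = bytes(range(0xC0, 0xD0))
RFC3610_NONCE = bytes.fromhex("00000003020100A0A1A2A3A4A5")
RFC3610_AAD = bytes(range(8))
RFC3610_MSG = bytes(range(8, 0x1F))
RFC3610_OUT = bytes.fromhex("588C979A61C663D2F066D0C2C0F989806D5F6B61DAC38417E8D12CFDF926E0")

if __name__ == "__main__":
    ct = ccm_encrypt(RFC3610_KEY, RFC3610_NONCE, RFC3610_MSG, RFC3610_AAD, 8)
    print("hand-rolled == RFC 3610 vector:", ct == RFC3610_OUT)
    print("hand-rolled == library AESCCM: ", ct == library_ccm(RFC3610_KEY, RFC3610_NONCE, RFC3610_MSG, RFC3610_AAD, 8))
    print("round trip:", ccm_decrypt(RFC3610_KEY, RFC3610_NONCE, ct, RFC3610_AAD, 8) == RFC3610_MSG)
```

Two properties of the mode are visible in the code and worth keeping in mind when deploying it: the nonce must never repeat under one key, because CTR keystream reuse leaks the XOR of two messages and CBC-MAC reuse lets tags be forged; and the tag length is a parameter, so an 802.11i-style 8-byte tag buys less forgery resistance than the full 16 bytes.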

Justice Official Calls For Parents To Educate Children On Cyber Ethics

Marti Stansell-Gamm, head of the Justice Department's Computer Crime and Intellectual Property Section, says parents should pay more attention to what their kids are doing online. -http://www.msnbc.com/news/962420.asp

SALARY SURVEY RESULTS POSTED

The results of the SAGE/SANS/BigAdmin salary survey for individuals have arrived. This year's most interesting result is that those who are employed are, in general, continuing on reasonable compensation paths. The 68-page summary is packed with graphs, charts, and analysis. The accompanying set of comments illuminates some of the issues on the minds of the almost 10,000 respondents. The results are available to SANS portal members only. You may visit
-http://portal.sans.org
to establish your personal portal account, then log in to the portal to view the survey data.
==end==
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, Marcus
Ranum, Eugene Schultz, Gal Shpantzer
Guest Editor: Bruce Schneier
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/